5 MINUTES AND 5 STEPS LATER…
6. Read the 'Fine' Manual at Wordpress.org. Some may argue that this should be the first step and I may tend to agree, but we are focusing on the hardening of Wordpress, and those details may get lost if we tackle the entire manual at once. But notice how in order to follow the 5 steps above, you would need to access the manual anyway. Nevertheless, make sure you RTFM as soon as the above 5 steps are done. Remember, setting up a self-hosted blog and not managing it beyond the "5 minute install" is NOT like leaving your VCR (Does anybody still remember these, or do I need to wiki VCR for you?) blinking "12:00" because you didn't know how to program it. The only thing these 2 happenings have in common is that they occur to an alarmingly, frustrating degree. But that's where the comparison ends… In the case of the VCR, I don't think anybody cares about what's in it… heck, probably neither do you. You may even have a video cassette still sitting in there from 1999, where you left the world of analog video for good. But I digress…
The point is that people who don't care about your blog, will look to damage it in any way they can. So you need to know your blogsite, inside and out, or it may be turned inside-out.
7. Stay up-to-date on your plugin/widget, theme, and Wordpress versions. Again, having fewer plugins and themes makes this a whole lot easier. Also, subscribing to the plugin/widget/theme authors' RSS feeds makes keeping up with them much easier.
A common question I hear is whether you should install the latest patches even if they are not 'security' related…
The answer is Yes! Just remember that the Code Red worm would not have made much, if any, impact if MS-IIS admins had simply installed a patch that had been available for at least a month prior to the outbreak. The Open Source Vulnerability Database (OSVDB) and Wordpress.org are good places to keep track of the latest bugs and fixes for Wordpress. You can also join the Wordpress Release Mailing List at: http://wordpress.org/download/.
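Knowing what you are running is the prerequisite for step 7. The script below is an added example (not part of the original post) that inventories the installed WordPress core version and every plugin's version header from a site tree and flags anything older than a known-good release list. It assumes the standard layout, where wp-includes/version.php sets `$wp_version` and each plugin's main PHP file carries a `Plugin Name:` / `Version:` comment header; the plugin names and the "latest" table are constructed sample data, and in practice you would fill the table from wordpress.org or the authors' feeds.

```python
"""Inventory WordPress core and plugin versions and flag outdated ones.

Added example, not code from the original post. Assumes the standard
WordPress layout: wp-includes/version.php holds $wp_version and each
plugin's main file starts with a 'Plugin Name:' / 'Version:' header block.
"""
import re
import tempfile
from pathlib import Path

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.M)
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)\s*$", re.M)

# Constructed "latest known release" table; replace with real data from wordpress.org.
LATEST = {"WordPress": "2.3", "Example Gallery": "1.2", "Example Contact Form": "0.9"}


def parse_version(text):
    """Turn '2.8.4' into (2, 8, 4) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def core_version(site_root):
    """Read $wp_version from wp-includes/version.php."""
    text = (Path(site_root) / "wp-includes" / "version.php").read_text()
    m = WP_VERSION_RE.search(text)
    if not m:
        raise ValueError("no $wp_version found in version.php")
    return m.group(1)


def plugin_versions(site_root):
    """Return {plugin name: version} for every plugin under wp-content/plugins."""
    found = {}
    for php in (Path(site_root) / "wp-content" / "plugins").glob("**/*.php"):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top of the file
        name = PLUGIN_NAME_RE.search(head)
        ver = PLUGIN_VERSION_RE.search(head)
        if name and ver:
            found[name.group(1)] = ver.group(1)
    return found


def outdated(installed, latest):
    """List (name, installed, latest) where installed < latest or latest is unknown."""
    report = []
    for name, ver in sorted(installed.items()):
        newest = latest.get(name)
        if newest is None or parse_version(ver) < parse_version(newest):
            report.append((name, ver, newest))
    return report


def audit(site_root, latest=LATEST):
    """Combine core and plugin inventory into one outdated-components report."""
    installed = {"WordPress": core_version(site_root)}
    installed.update(plugin_versions(site_root))
    return outdated(installed, latest)


def build_sample_site(root):
    """Write a constructed, minimal WordPress tree for demonstration only."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True, exist_ok=True)
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '2.2.3';\n")
    for folder, name, ver in [("gallery", "Example Gallery", "1.0"),
                              ("contact", "Example Contact Form", "0.9")]:
        d = root / "wp-content" / "plugins" / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{folder}.php").write_text(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root


def audit_sample_site():
    """Run the audit against the constructed sample tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for name, have, want in audit_sample_site():
        print(f"UPDATE {name}: installed {have}, latest {want}")
```

Run it against your real document root instead of the sample tree; anything it reports with `latest` of `None` is a component you have no release feed for yet, which is exactly the kind of plugin to either track or remove.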
8. Don't forget to keep track of vulnerabilities in the Web Server, Database Server and their Underlying Operating Systems as well. Wordpress is only the final part of the overall web-hosting package (Wordpress, Web Server/Database Server, Operating System), and a vulnerability in any of these can lead to exploitation of your site. Though this is much less of a concern if you are only managing the Wordpress Installation at a Web-hosting service, you need to be aware that a risk still exists.
Do you know what versions of web server, database server, and operating system your provider is running? I think you should find out at least this much… immediately. Then, if you are so inclined, you can research any vulnerabilities in these at OSVDB.org.
9. Always, always take regular backups of your site. This includes the file directories as well as the database. Remember… Availability is a key component of the Security (CIA) Triad.
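A backup you have never verified is only a hope. The script below is an added example (not from the original post) of step 9: it archives the file tree, dumps the database with mysqldump when that client is available, and writes a SHA-256 manifest so a restore can be checked before it is trusted. Paths, database name and user are placeholders; it assumes MySQL credentials live in a client option file rather than on the command line, and the demonstration run builds a tiny constructed site tree rather than touching a real install.

```python
"""Back up a WordPress site (files + database) with a hash manifest for verification.

Added example, not code from the original post. Assumes a standard site tree and,
for the database half, a MySQL server reachable by the mysqldump client.
"""
import hashlib
import json
import shutil
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large upload archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_files(site_root, dest_dir, stamp):
    """tar+gzip the whole tree: wp-config.php, uploads, themes and plugins."""
    out = Path(dest_dir) / f"files-{stamp}.tar.gz"
    with tarfile.open(out, "w:gz") as tar:
        tar.add(str(site_root), arcname="site")
    return out


def dump_database(db_name, db_user, dest_dir, stamp, option_file=None):
    """Run mysqldump if installed; return the dump path, or None when the client is absent.
    Assumption: the password comes from a client option file, never from argv."""
    if shutil.which("mysqldump") is None:
        return None
    out = Path(dest_dir) / f"db-{stamp}.sql"
    cmd = ["mysqldump", "--single-transaction", "--user", db_user, db_name]
    if option_file:
        cmd.insert(1, f"--defaults-extra-file={option_file}")  # must be the first option
    with open(out, "wb") as f:
        subprocess.run(cmd, stdout=f, check=True)
    return out


def write_manifest(dest_dir, stamp, artifacts):
    """Record a SHA-256 for every artifact produced in this run."""
    manifest = {"created": stamp, "files": {p.name: sha256_of(p) for p in artifacts if p}}
    path = Path(dest_dir) / f"manifest-{stamp}.json"
    path.write_text(json.dumps(manifest, indent=2))
    return path


def verify_backup(manifest_path):
    """Recompute every hash; return the names that are missing or altered (empty list = good)."""
    manifest_path = Path(manifest_path)
    manifest = json.loads(manifest_path.read_text())
    bad = []
    for name, digest in manifest["files"].items():
        p = manifest_path.parent / name
        if not p.exists() or sha256_of(p) != digest:
            bad.append(name)
    return bad


def backup(site_root, dest_dir, db_name=None, db_user=None, option_file=None):
    """One timestamped run: files, optional database dump, then the manifest."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    Path(dest_dir).mkdir(parents=True, exist_ok=True)
    files = archive_files(site_root, dest_dir, stamp)
    db = dump_database(db_name, db_user, dest_dir, stamp, option_file) if db_name else None
    return write_manifest(dest_dir, stamp, [files, db])


def demo():
    """Constructed run: back up a tiny fake site, verify, then corrupt the archive and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-content" / "uploads" / "note.txt").write_text("hello\n")
        manifest = backup(site, Path(tmp) / "backups")
        clean = verify_backup(manifest)
        archive = next(manifest.parent.glob("files-*.tar.gz"))
        with open(archive, "ab") as f:
            f.write(b"corrupt")  # simulate bit rot or tampering on the backup medium
        return clean, verify_backup(manifest)


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup problems:", before)      # expected: []
    print("after tampering, problems:", after)   # expected: ['files-....tar.gz']
```

For a real install, call `backup("/var/www/html", "/backups", db_name="wp", db_user="wpbackup", option_file="/root/.my-backup.cnf")` from cron and copy the artifacts off the host; keep the manifest with them and run `verify_backup` on the copy, not the original.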
10. And if you have the time, I would suggest running the blog over an SSL connection, since the usernames/passwords are being transmitted in clear-text HTTP. (Your web-host needs to support SSL.) Notice the http:// in the browser address bar, without an 's'? That means that everything you type to your blogsite or receive back from your blogsite is visible to someone eavesdropping on the network, potentially compromising your account or one of your blog's members' accounts. And if you happen to be blogging in the Administrator or Editor Roles… Game over!! You MUST always expect someone to be listening in on your web traffic at any public internet hotspot.
Two ways around this are:
- Install SSL on the server hosting your blog and install one of the many "Administration over SSL" plugins available. (If you happen to lose access to your site after loading this plugin, simply delete the plugin from the wp-content/plugins directory.)
- If this is not possible, try running an anonymizer like 'tor' on your PC. While this will not protect others from eavesdroppers, it will at least serve to encrypt your traffic until it reaches the blog webhost. (Keep in mind that Tor only encrypts the hops up to its exit node; the exit node and everything beyond it still see your plain HTTP, so this mainly protects you from eavesdroppers on the hotspot itself.)
Note: The advice given is for informational purposes with no liability expressed or implied to be assumed by the author. You are responsible, as always, for anything that happens with your site.
Some low-level details and explanations were skipped, as they would clutter the article body. If you would like clarification on any term or topic or wish to pursue this discussion further… please feel free to comment.